Your privacy is our priority. This policy explains what information PAY9INDIA collects, how we use and protect it, and the choices you have. It applies to our website, kiosks, POS and Micro-ATM devices, agent portal and APIs.
01Who we are
PAY9INDIA ("PAY9INDIA", "we", "us", "our") operates a banking-infrastructure platform that includes Smart ATM Kiosks, AEPS, BBPS Bharat Connect, POS and Micro-ATM devices and an insurance distribution network.
We act as a data fiduciary under the Digital Personal Data Protection Act, 2023 and follow the data-handling norms prescribed by NPCI, UIDAI and other applicable regulators for the services we provide.
02Information we collect
We collect only the data required to deliver our services securely and to meet our regulatory obligations:
- Identity & KYC — name, date of birth, photograph, Aadhaar reference/VID, PAN, and other officially valid documents required for onboarding.
- Contact — mobile number, email and address.
- Transaction — amount, rail (UPI/IMPS/RTGS/AEPS/BBPS), counterparty bank, timestamp, device and terminal ID.
- Biometric — for AEPS we capture a fingerprint solely to create an encrypted authentication block sent to UIDAI. We never store raw biometrics on the device or our servers.
- Technical — IP address, browser/app version, and diagnostic logs used to keep the network secure.
03How we use your information
We use your information to:
- Authenticate you and process the transactions you request.
- Meet KYC, AML, CFT and PMLA obligations and respond to lawful requests from regulators.
- Detect, prevent and investigate fraud and security incidents.
- Provide customer support, receipts and statements.
- Improve the reliability and performance of our platform.
We do not sell your personal data. We do not use your data for advertising.
04Aadhaar & biometric data
When you use an AEPS service, your Aadhaar number and a captured fingerprint are encrypted on the device and transmitted in a UIDAI-compliant PID block for authentication only.
We do not store, copy, share or use your biometric information for any purpose other than the authentication you have requested, in line with the Aadhaar Act and UIDAI regulations.
06How we protect your data
Security is engineered into every layer of our platform.
- PCI-DSS Level 1 certified infrastructure with tokenized card storage.
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Role-based access, full audit trails and continuous monitoring.
- Quarterly VAPT and independent penetration testing.
- ISO 27001:2022 information-security management.
07How long we keep it
We retain personal and transaction data for as long as your account is active and thereafter for the period mandated by applicable banking, PMLA and tax laws (generally five to eight years), after which it is securely deleted or anonymised.
08Your rights
Subject to applicable law, you may:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request erasure where there is no legal duty to retain it.
- Withdraw consent for non-mandatory processing.
- Nominate a representative and raise a grievance.
To exercise any right, write to privacy@pay9india.com. We respond within the timelines set by the DPDP Act.
10Changes to this policy
We may update this policy from time to time. Material changes will be posted on this page with a revised "last updated" date. Continued use of our services means you accept the updated policy.
11Grievance officer
If you have a concern about how your data is handled, contact our Grievance Officer at grievance@pay9india.com. We acknowledge complaints within 48 hours and aim to resolve them within 30 days.